Phishing Attack Causes Breach at Catawba Valley Medical Center
Catawba Valley Medical Center (CVMC), a medical center serving the greater Catawba County area based in Hickory, North Carolina, has recently announced that an unauthorised individual gained access to their systems following a successful phishing attack. It is estimated that up to 20,000 people may have been affected by the breach.
The discovery was made on August 13, 2018. The organisation acted quickly to secure the compromised email account and lock the attacker out, taking steps to prevent any further access to its systems.
A third-party computer forensics firm was also called in to assist with the investigation, working alongside internal investigators to determine the extent of the breach and the amount of damage done during the attack. The investigation also sought to establish how the attacker gained access in the first place, so that the organisation could take action and make its systems more robust against future attacks.
The investigators concluded that the attackers had access to the organisation’s servers between July 4 and August 17, 2018. The hackers gained access to the accounts after three employees responded to phishing emails. Phishing is a form of fraud in which the criminal attempts to obtain sensitive information by pretending to be a trustworthy entity. These types of attacks are most commonly made over email.
In the aftermath of the attacks, attempts were made to determine the extent of the damage. It was discovered that some emails in the affected accounts contained patients’ protected health information including names, dates of birth, details of medical services received at CVMC, health insurance details, and for certain patients, Social Security numbers.
Patients affected by breaches such as this are often at high risk of being victims of identity fraud. However, investigators could not find any evidence to suggest that any emails had been accessed or copied by the hackers. Furthermore, there has been no indication that any of the patient health information has been used for malicious purposes.
In accordance with HIPAA’s Breach Notification Rule, all patients who were affected by the breach and may have had their protected health information (PHI) compromised were notified by CVMC on October 12, 2018. The organisation also set up a dedicated call center to handle patient enquiries and concerns regarding their data. Those affected by the breach are advised to carefully review all of the statements they receive from their insurance carrier. If they have been billed for any services which they haven’t received, they must inform the relevant authorities immediately.
The phishing incidents have prompted CVMC to hire security experts to educate their employees on the dangers of phishing attacks and on best practices for preventing them. CVMC has also replaced its email security system with a new, more robust one. In the coming months, CVMC will continue to upgrade hardware and software as appropriate to repel malicious threats.
Due to the scale of the breach, a breach summary was posted on the HHS’ Office for Civil Rights’ breach portal.
The Catawba Valley Medical Center breach is one of many attacks on healthcare providers in recent years. Medical organisations are particularly lucrative targets for cybercriminals, due to the high black-market value of medical information. They also make for particularly easy pickings; robust and comprehensive security systems are often expensive and difficult to implement, and already overworked and under-funded healthcare organisations struggle to cope.
However, the financial penalties levied against organisations for non-compliance with HIPAA are also hefty. The initial investment of installing strong safeguards on patient data is worthwhile, both in terms of patient security and avoiding HIPAA violation fines.